===========================================================================
ZMCIRT Vulnerability Bulletin
ZMC-2021.05.18.0700
Moodle: Multiple vulnerabilities
18th May 2021
===========================================================================
Product:           Moodle
Publisher:         Moodle
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32478 CVE-2021-32477 CVE-2021-32476
                   CVE-2021-32475 CVE-2021-32474 CVE-2021-32473
                   CVE-2021-32472
Original Bulletin:
  https://moodle.org/mod/forum/discuss.php?d=422305&parent=1701629
  https://moodle.org/mod/forum/discuss.php?d=422307&parent=1701631
  https://moodle.org/mod/forum/discuss.php?d=422308&parent=1701632
  https://moodle.org/mod/forum/discuss.php?d=422309&parent=1701633
  https://moodle.org/mod/forum/discuss.php?d=422310&parent=1701635
  https://moodle.org/mod/forum/discuss.php?d=422313&parent=1701638
  https://moodle.org/mod/forum/discuss.php?d=422314&parent=1701639
  https://moodle.org/mod/forum/discuss.php?d=422315&parent=1701640
Comment: This bulletin contains eight (8) Moodle security advisories.
MSA-21-0012: Forum CSV export could result in posts from all courses being
exported
Teachers exporting a forum in CSV format could receive a CSV of forums from all
courses in some circumstances.
Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed: 3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: Daniel Konrad
Workaround: Remove the Export Forum (mod/forum:exportforum) capability from
            non-admin roles/users until the patch has been applied.
CVE identifier: CVE-2021-32472
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71359
Tracker issue: MDL-71359 Forum CSV export could result in posts from all
courses being exported
- --------------------------------------------------------------------------------
MSA-21-0013: Quiz unreleased grade disclosure via web service
It was possible for a student to view their quiz grade before it had been
released, using a quiz web service.
Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and
earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by: Nadav Kavalerchik
CVE identifier: CVE-2021-32473
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70720
Tracker issue: MDL-70720 Quiz unreleased grade disclosure via web service
- --------------------------------------------------------------------------------
MSA-21-0014: Blind SQL injection possible via MNet authentication
An SQL injection risk existed on sites with MNet enabled and configured, via an
XML-RPC call from the connected peer host. Note that this required site
administrator access or access to the keypair.
Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and
earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by: Rekter0
CVE identifier: CVE-2021-32474
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70804
Tracker issue: MDL-70804 Blind SQL injection possible via MNet authentication
- --------------------------------------------------------------------------------
MSA-21-0015: Stored XSS in quiz grading report via user ID number
ID numbers displayed in the quiz grading report required additional sanitizing
to prevent a stored XSS risk.
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and
earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by: Paul Holden
CVE identifier: CVE-2021-32475
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71130
Tracker issue: MDL-71130 Stored XSS in quiz grading report via user ID number
- --------------------------------------------------------------------------------
MSA-21-0016: Files API should mitigate denial-of-service risk when adding to
the draft file area
A denial-of-service risk was identified in the draft files area, due to it not
respecting user file upload limits.
Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and
earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by: Ben Samtleben
CVE identifier: CVE-2021-32476
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69028
Tracker issue: MDL-69028 Files API should mitigate denial-of-service risk
when adding to the draft file area
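The defensive property behind MSA-21-0016 is that upload limits must be enforced by the storage layer itself, not only by the upload form, so that a caller reaching the draft area through another path (a web service, a script, a retry loop) cannot fill it without bound. The PHP 8 class below is an added illustration of that pattern and is not Moodle's own Files API; the class name, the method names and the limits are constructed for the example.

```php
<?php
// Added example (not Moodle's code): enforce per-user upload limits inside
// the storage layer, so no caller can bypass them by avoiding the form.
// Class, method names and the limits below are constructed for illustration.

final class DraftArea {
    /** @var array<int, int> bytes currently held per user id */
    private array $usage = [];
    /** @var array<int, int> number of files held per user id */
    private array $count = [];

    public function __construct(
        private int $maxBytesPerFile,   // per-file ceiling
        private int $maxBytesPerUser,   // total draft quota per user
        private int $maxFilesPerUser    // cap on the number of draft files
    ) {}

    /**
     * Attempt to add a file. Every limit is checked here, at the point of
     * storage, so the area cannot grow past the quota whichever entry point
     * the caller used.
     */
    public function add(int $userid, string $filename, int $bytes): bool {
        if ($bytes < 0 || $bytes > $this->maxBytesPerFile) {
            return false;                       // single file too large
        }
        $used  = $this->usage[$userid] ?? 0;
        $files = $this->count[$userid] ?? 0;
        if ($files + 1 > $this->maxFilesPerUser || $used + $bytes > $this->maxBytesPerUser) {
            return false;                       // per-user quota exhausted
        }
        $this->usage[$userid] = $used + $bytes;
        $this->count[$userid] = $files + 1;
        return true;
    }

    public function usedBytes(int $userid): int {
        return $this->usage[$userid] ?? 0;
    }
}

// Constructed limits: 1 MiB per file, 4 MiB per user, at most 10 files.
$area = new DraftArea(1 << 20, 4 << 20, 10);
$uid  = 42;

// Five 1 MiB uploads: the first four fit the quota, the fifth is refused.
for ($i = 1; $i <= 5; $i++) {
    $ok = $area->add($uid, "draft$i.bin", 1 << 20);
    printf("upload %d: %s (used %d bytes)\n", $i, $ok ? 'stored' : 'refused', $area->usedBytes($uid));
}

// An oversized single file is refused regardless of remaining quota.
var_dump($area->add(7, 'huge.bin', 2 << 20));
```

The check that matters is the one inside add(): a limit that lives only in the upload form protects nothing once a request arrives by any other route.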
- --------------------------------------------------------------------------------
MSA-21-0017: Last app access time is visible to non-site-admins on user profile
page
The last time a user accessed the mobile app is displayed on their profile
page, but should be restricted to users with the relevant capability (site
administrators by default).
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.3
Versions fixed: 3.11 and 3.10.4
Reported by: Strifel
CVE identifier: CVE-2021-32477
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71513
Tracker issue: MDL-71513 Last app access time is visible to non-site-admins
on user profile page
- --------------------------------------------------------------------------------
MSA-21-0018: Reflected XSS and open redirect in LTI authorization endpoint
The redirect URI in the LTI authorization endpoint required extra sanitizing to
prevent reflected XSS and open redirect risks.
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier
unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: Jordan Tomkinson
CVE identifier: CVE-2021-32478
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70622
Tracker issue: MDL-70622 Reflected XSS and open redirect in LTI authorization
endpoint
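MSA-21-0015 and MSA-21-0018 are both instances of untrusted input reaching the browser without adequate sanitising, one stored (a user ID number echoed into a report) and one reflected (a redirect URI echoed by an authorization endpoint). The plain-PHP functions below are an added illustration of the two controls that close those classes, escaping on output and exact-match validation of redirect URIs against a pre-registered list; they are not Moodle's own code, and the function names, the registered URI and the sample inputs are constructed for the example.

```php
<?php
// Added example (not Moodle's code): output escaping for a stored value and
// allow-list validation of a redirect_uri, in plain PHP. Function names,
// the registered URI list and the sample values are constructed.

/**
 * Escape a user-supplied value (e.g. a user ID number) before placing it in
 * HTML output. Escaping at output time is what keeps markup stored in the
 * database inert when a report page renders it.
 */
function render_id_number(string $idnumber): string {
    return htmlspecialchars($idnumber, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Validate a redirect_uri supplied to an authorization endpoint. The URI is
 * returned only if it exactly matches one registered in advance (the
 * OAuth 2.0 / LTI 1.3 rule); otherwise null. Exact matching removes both the
 * open-redirect case and the reflected-XSS case at once, because nothing
 * the caller controls reaches the browser unchecked.
 */
function validate_redirect_uri(string $candidate, array $registered): ?string {
    // Control characters and whitespace never belong in a URI.
    if (preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                            // relative, malformed or schemeless
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;                            // only absolute https targets
    }
    foreach ($registered as $allowed) {
        if (hash_equals($allowed, $candidate)) {
            return $candidate;                  // exact match, no prefix logic
        }
    }
    return null;
}

// Constructed registered list and test inputs.
$registered = ['https://tool.example.org/lti/launch'];

$cases = [
    'https://tool.example.org/lti/launch',           // registered: accepted
    'https://tool.example.org/lti/launch/../admin',  // not an exact match: rejected
    'https://tool.example.org.attacker.example/',    // host suffix trick: rejected
    'javascript:void(0)',                             // non-https scheme: rejected
    "https://tool.example.org/lti/launch\">x",       // quote injection: rejected
];
foreach ($cases as $uri) {
    $result = validate_redirect_uri($uri, $registered);
    printf("%-50s => %s\n", $uri, $result === null ? 'REJECTED' : 'accepted');
}

// A stored ID number containing markup renders as text, not as HTML.
echo render_id_number('STU-001"><b>bold</b>'), "\n";
```

Two design choices carry the weight: the redirect check compares whole strings rather than prefixes or hosts, and the ID number is escaped where it is written into HTML rather than where it is saved, so the same stored value is safe in every page that displays it.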
- --------------------------------------------------------------------------------
MSA-21-0019: Upgrade H5P PHP library to latest minor version (upstream)
The H5P PHP library included with Moodle has been upgraded to the latest minor
version, which includes a security fix.
Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed: 3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: Sara Arjona
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71408
Tracker issue: MDL-71408 Upgrade H5P PHP library to latest minor version
(upstream)
ZMCIRT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCIRT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Internet Email: report@cirt.zm
Telephone: 7070
ZMCIRT personnel answer during Zambian business hours
which are 8am to 5pm.
On call after hours for member emergencies only.
===========================================================================
Copyright @2023 ZAMBIA CIRT